
First step: configure the router to accept an SDM session
---------------------------------------------------------
Commands:
(config)# hostname CCNASec
(config)# username mohamed privilege 15 password 1234
(config)# ip domain name mody
(config)# ip http server
(config)# crypto key generate rsa
(config)# interface fa 1/0
(config-if)# ip address 10.0.0.1 255.255.255.0
(config-if)# no shutdown
(config)# line vty 0 4
(config-line)# privilege level 15   ----> anyone who logs in lands directly in privileged mode
(config-line)# login
(config-line)# exit
GO TO: VMware host 1 and give it the IP address 10.0.0.2

Note: `username ... password` stores the password as type 0 (or as reversible type 7 once `service password-encryption` is on); `username ... secret` hashes it and is the form to use. `ip http server` is plain HTTP; see the HTTPS section for `ip http secure-server`.

--------------------------------------------------------
(((((((((((((((((( chapter 3: defending the perimeter ))))))))))))))))))
Commands:
---------
(config)# security passwords min-length 10   ----> 10 characters is the minimum password length (enforced for passwords set afterwards, not for ones already in the config)
---------
(config)# enable secret cisco1234   ----> the enable secret is asked for when entering privileged mode :) and is stored hashed (type 5 = salted MD5, a 128-bit "digest"; newer IOS can store it as type 9 scrypt with `enable algorithm-type scrypt secret ...`)
------------------
(config)# line console 0
(config-line)# password 1234
(config-line)# login
(config)# line aux 0
(config-line)# password 1234
(config-line)# login
(config)# line vty 0 4
(config-line)# password 1234
(config-line)# login
------------------
# show running-config   ----> the line passwords appear in plain text, so we add:
(config)# service password-encryption   ----> stores them as type 7, Cisco's proprietary Vigenere-style cipher. It is reversible: it only hides passwords from someone looking over your shoulder, not from anyone who gets a copy of the config
(config)# username mohamed secret 5 [paste an already-hashed value]
(config)# username mohamed secret 0 [enter the password in clear text; IOS hashes it before storing it]
(config)# no service password-recovery   ----> ROMmon is no longer reachable through the break sequence, so the usual password-recovery procedure is gone; regaining access to a router whose passwords are lost then means wiping the configuration, so keep an offline copy
--------------------------------------------------------------------
Limiting the number of failed login attempts
''''''''''''''''''''''''''''''''''''''''''''
(config)# security authentication failure rate 5 log   ----> by default IOS imposes a 15-second delay after 10 failed login attempts; this lowers the threshold to 5, and `log` sends a syslog message when it is hit

Login inactivity timer
''''''''''''''''''''''
By default an idle admin session is disconnected after 10 min; Cisco recommends not more than 3 min.
(config)# line vty 0 4
(config-line)# exec-timeout 2 30   ----> 2 min 30 s
(config-line)# exec-timeout 0 0    ----> disables the inactivity timer :( (never do this on vty lines)
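Added example, not part of these notes and not Cisco code: a small audit that reads a running-config and grades how each credential is stored, reversing any type-7 value on the spot to show why `service password-encryption` is not protection. It assumes Cisco's well-known fixed type-7 key stream (the constant below); the sample running-config is constructed for the demo, its type-5 and type-9 hash bodies are placeholders, and the function names are mine.

```python
"""Grade how a Cisco IOS running-config stores credentials, and reverse any type-7 values.

Added example for these notes; it is not Cisco code. The running-config below is
constructed and deliberately mixes every storage type so each grade is exercised.
"""
import re

# Cisco's fixed type-7 key stream (public knowledge for decades). Type 7 is a keyed XOR
# (Vigenere-style), not encryption: whoever can read the config recovers the password.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(blob: str) -> str:
    """Reverse a `password 7 <hex>` value; the first two decimal digits are the key offset."""
    if len(blob) < 4 or len(blob) % 2 or not blob[:2].isdigit():
        raise ValueError("type-7 value = 2-digit seed followed by even-length hex")
    seed = int(blob[:2])
    body = bytes.fromhex(blob[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(body)).decode("ascii")


def encode_type7(plain: str, seed: int = 2) -> str:
    """Produce what `service password-encryption` would store, for a chosen seed (IOS normally uses 0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    body = bytes(c ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plain.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


# Matches `username X [privilege N] [view V] password|secret [TYPE] VALUE`,
# `enable password|secret [level N] [TYPE] VALUE` and a bare line-mode `password [TYPE] VALUE`.
CRED_RE = re.compile(
    r"^\s*(?P<ctx>username\s+\S+(?:\s+privilege\s+\d+)?(?:\s+view\s+\S+)?|enable)?\s*"
    r"(?P<kw>password|secret)(?:\s+level\s+\d+)?(?:\s+(?P<type>\d))?\s+(?P<value>\S+)\s*$"
)

# IOS storage type -> (grade, what to do about it)
GRADES = {
    None: ("plaintext", "stored as typed; use `secret` instead of `password`"),
    "0": ("plaintext", "stored as typed; use `secret` instead of `password`"),
    "7": ("reversible", "type 7 decodes offline instantly; re-enter it with `secret`"),
    "4": ("sha256-unsalted", "deprecated type 4 is weaker than type 5; re-hash as type 8/9"),
    "5": ("md5", "salted MD5 (md5crypt) falls quickly to GPU cracking; prefer type 9 on IOS 15.3+"),
    "8": ("pbkdf2-sha256", "acceptable"),
    "9": ("scrypt", "acceptable"),
}


def audit_config(config: str) -> list:
    """Return one finding per credential line, with the recovered plaintext where there is one."""
    findings, section = [], None
    for n, raw in enumerate(config.splitlines(), 1):
        if raw and not raw[0].isspace():
            section = raw.strip()          # top-level command, e.g. "line vty 0 4"
        m = CRED_RE.match(raw)
        if not m:
            continue
        grade, advice = GRADES.get(m["type"], ("unknown", "unrecognised type; check by hand"))
        where = section if raw[0].isspace() else (m["ctx"] or raw.strip())
        if m["type"] == "7":
            plain = decode_type7(m["value"])
        elif grade == "plaintext":
            plain = m["value"]
        else:
            plain = None
        findings.append({"line": n, "where": where, "keyword": m["kw"], "type": m["type"],
                         "grade": grade, "plain": plain, "advice": advice})
    return findings


def recovered_secrets(findings: list) -> dict:
    """Credentials an attacker who merely reads the config (backup, TFTP, `show run`) gets outright."""
    return {f["where"]: f["plain"] for f in findings if f["plain"] is not None}


# Constructed sample, not a real device's output (type-5/9 hash bodies are placeholders).
SAMPLE_RUNNING_CONFIG = """\
hostname CCNASec
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username mohamed privilege 15 password 1234
username engy secret 9 $9$constructedExampleHashBody
line con 0
 password 7 02050D480809
 login
line vty 0 4
 password 7 094F471A1A0A
 login
 transport input ssh
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_RUNNING_CONFIG):
        shown = f"  -> recovered: {f['plain']!r}" if f["plain"] else ""
        print(f"line {f['line']:>2} {f['where']:<32} {f['keyword']:<8} type {f['type'] or '-'}: "
              f"{f['grade']:<15} {f['advice']}{shown}")
```

Run it against a real `show running-config` capture to see which lines still need to be re-entered with `secret`; both type-7 line passwords in the sample decode to `cisco` without any cracking.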

CONFIGURING PRIVILEGE LEVELS
''''''''''''''''''''''''''''
(config)# privilege exec level 5 debug   ----> make `debug` available from privilege level 5
(config)# enable secret level 5 1234     ----> password for level 5
To enter level 5: > enable 5 :)
Caveat: a level-5 user gets every command assigned to levels 1 to 5, and a command moved to level 5 is also available to levels 6 to 15; for per-user command sets, views (below) are the better tool.
-----------------------------------------------------------
Creating VIEWS & a superview
''''''''''''''''''''''''''''
1) (config)# aaa new-model          ----> views require AAA
2) # enable view                     ----> enter the root view (asks for the level-15 enable secret)
3) (config)# parser view [name of view]
4) (config-view)# secret 0 1234
5) (config-view)# commands exec include all copy   ----> `include all` adds the command and all its sub-options
   (config-view)# commands exec include ping
   (config-view)# commands exec include traceroute
6) To use it: # enable view [name of view]
Optional: (config)# username mohamed view hi5 secret cisco   ----> bind user mohamed to the view hi5 :D :D

CREATING A SUPERVIEW
''''''''''''''''''''
A superview has no commands of its own; it is the union of the views it contains.
(config)# parser view [name of superview] superview
(config-view)# secret cisco
(config-view)# view mody
(config-view)# view engy

--------------------------------------------------------
Protecting Router Files (resilient configuration)
'''''''''''''''''''''''''''''''''''''''''''''''''
bootset ----> the IOS image plus the configuration file
(config)# secure boot-image    ----> secures the running image; it becomes HIDDEN from `dir` so it cannot be deleted or overwritten from the CLI
(config)# secure boot-config   ----> takes a snapshot of the running configuration and keeps it in persistent storage on the router itself (not on a server)
# show secure bootset          ----> the only way to see the secured image and config archive
Restoring after an attack:
rommon 1> boot slot0:c374-js2-mz.bin   ----> boot the resilient image (use the name shown by `show secure bootset`)
(config)# secure boot-config restore flash:rescue-cfg   ----> writes the archived config to a file, then copy it to running-config
# dir flash:
Caveats: the feature only works on platforms whose flash is a PCMCIA ATA disk, and it can only be removed from a console session (`no secure boot-image`), never over a remote session.

-------------------------------------------------------------------
Enhancements for virtual (vty) logins ----> NOT ENABLED BY DEFAULT
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
(config)# login block-for [quiet period in seconds] attempts [attempts] within [seconds]
    ----> enables the feature (and with it a 1-second delay between successive login attempts)
    ----> "quiet period": the window during which all virtual login attempts are blocked; it starts once the given number of failed attempts occurs within the given number of seconds
    example: login block-for 120 attempts 3 within 60
(config)# login quiet-mode access-class [acl number or name]   ----> hosts permitted by the ACL may still log in during the quiet period; without it every vty login is blocked, the admin's included
(config)# login delay [seconds]   ----> change the delay between login attempts
(config)# login on-failure log    ----> syslog message for each failed login
(config)# login on-success log    ----> syslog message for each successful login
# show login
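Added example, not from these notes and not Cisco code: the detection you would run on the syslog server once `login on-failure log`, `login on-success log` and `login block-for` are on. It counts failures per source in a sliding window (the same threshold/window idea as `login block-for 120 attempts 3 within 60`), flags a success that follows recent failures from the same source, and surfaces the quiet-mode message. The log lines are constructed for the demo and only follow the general shape of IOS %SEC_LOGIN messages as I know it (timestamp and device name prepended by the collector); adjust the regex to your real collector output. Function names are mine.

```python
"""Flag vty brute force and lock-outs from IOS %SEC_LOGIN syslog lines.

Added example for these notes, not Cisco code. Log lines are constructed; the message
layout is an assumption about what a collector stores, verify it against real output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Collector format assumed here: "<ISO timestamp> <device> %SEC_LOGIN-<sev>-<EVENT>: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<device>\S+) "
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS|QUIET_MODE_ON): "
    r"(?:.*?\[user: (?P<user>[^\]]*)\])?(?:.*?\[Source: (?P<src>[^\]]+)\])?"
)


def parse_events(lines):
    """Turn raw syslog lines into event dicts; lines that are not SEC_LOGIN messages are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "device": m["device"],
                           "event": m["event"], "user": m["user"], "src": m["src"]})
    return events


def detect(events, threshold=3, window=timedelta(seconds=60)):
    """Sliding-window correlation per (device, source address).

    brute_force            : `threshold` failures inside `window` (raised once per burst)
    success_after_failures : a success from a source that failed inside `window`
    quiet_mode             : the router itself entered its quiet period
    """
    alerts = []
    failures = defaultdict(list)   # (device, src) -> failure timestamps still inside the window
    flagged = defaultdict(bool)    # (device, src) -> brute_force already raised for this burst
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["device"], e["src"])
        if e["event"] == "LOGIN_FAILED":
            recent = [t for t in failures[key] if e["ts"] - t <= window] + [e["ts"]]
            failures[key] = recent
            if len(recent) < threshold:
                flagged[key] = False
            elif not flagged[key]:
                flagged[key] = True
                alerts.append({"kind": "brute_force", "device": e["device"], "src": e["src"],
                               "at": e["ts"], "user": e["user"], "count": len(recent)})
        elif e["event"] == "LOGIN_SUCCESS":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if recent:   # highest priority: guessing may have succeeded
                alerts.append({"kind": "success_after_failures", "device": e["device"],
                               "src": e["src"], "at": e["ts"], "user": e["user"],
                               "count": len(recent)})
            failures[key].clear()
            flagged[key] = False
        elif e["event"] == "QUIET_MODE_ON":
            alerts.append({"kind": "quiet_mode", "device": e["device"], "src": e["src"],
                           "at": e["ts"], "user": e["user"], "count": None})
    return alerts


# Constructed sample: one scanner hitting R1, then the admin mistyping once before logging in.
SAMPLE_SYSLOG = """\
2024-03-01T10:00:01 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
2024-03-01T10:00:03 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
2024-03-01T10:00:05 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
2024-03-01T10:00:06 R1 %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl]
2024-03-01T10:00:20 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: mohamed] [Source: 10.0.0.2] [localport: 22] [Reason: Login Authentication Failed]
2024-03-01T10:00:31 R1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: mohamed] [Source: 10.0.0.2] [localport: 22]
2024-03-01T10:05:00 R1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: engy] [Source: 10.0.0.3] [localport: 22]
""".splitlines()


def run_sample():
    return detect(parse_events(SAMPLE_SYSLOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['at']:%H:%M:%S} {a['kind']:<23} {a['device']} src={a['src']} user={a['user']}")
```

The sample yields three alerts: the brute force on the third failure from 203.0.113.9, the router's own quiet-mode message one second later, and mohamed's success preceded by a failure from the same host; engy's clean login raises nothing. Tune `threshold` and `window` to match the `login block-for` values configured on the routers so the collector's view and the device's view agree.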

(config)# banner motd $ this is a cisco router $   ----> $ is the delimiter; a MOTD banner should warn, not welcome
---------------------------------------------------------------
(((((((((((((((((((( SDM: Cisco Security Device Manager ))))))))))))))))))))
HTTPS configuration commands
''''''''''''''''''''''''''''
(config)# ip http server          ----> plain HTTP; turn it off with `no ip http server` once HTTPS works
(config)# ip http secure-server
(config)# ip http authentication local
(config)# username [name] privilege 15 secret 0 [password]
HOW to connect to SDM:
1) if SDM is in the router's flash ----> https://10.0.0.1
2) or run SDM installed on the PC and point it at the router
One-step lockdown ----> the CLI equivalent is (config)# auto secure (read through what it changes before saving)
---------------------------------------------------------------------------------------------------
SYSLOG
''''''
A terminal (console) server connected to the console port of every device (routers, switches) gives out-of-band access to all of them.
Syslog output goes to the console by default; to see it on a vty session: # terminal monitor
(config)# line vty 0 4
(config-line)# logging synchronous   ----> redraw the command you are typing after a log message interrupts it :)
(config)# logging buffered            ----> store the messages in router RAM :D ; read them with # show logging
(config)# logging [ip address of syslog server]
(config)# logging trap [level]        ----> highest severity forwarded to the server (0 emergencies ... 7 debugging); `logging trap 6` sends everything except debugging
---------------------------------------------------
SNMP
''''
(config)# snmp-server community [community name] [ro|rw] [acl]
(config)# snmp-server enable traps   ----> traps are off by default
(config)# snmp-server community cisco rw 50   ----> rw: read & write, 50: the ACL that limits which managers may use this string
Caveat: SNMPv1/v2c community strings travel in clear text and are the only credential, so always bind rw strings to an ACL, and prefer SNMPv3 with authentication and privacy where the management station supports it.
-----------------------------------------------------------
SSH
'''
(config)# ip domain name [domain]   ----> a hostname and domain name must exist before the key is generated
(config)# crypto key generate rsa   ----> choose a modulus of at least 2048 bits
(config)# ip ssh version 2          ----> SSHv1 has known protocol weaknesses
(config)# ip ssh time-out [seconds]   ----> time allowed to complete the login negotiation
(config)# ip ssh authentication-retries [n]
(config)# line vty 0 4
(config-line)# transport input ssh   ----> refuses Telnet on the vty lines
(config-line)# login local
----------------------------------------------------------------
NTP
'''
# clock set [hh:mm:ss day month year]
# show clock
(config)# ntp master [stratum]      ----> make this router an NTP server from its own clock
(config)# ntp server [ip of server] ----> on the client: synchronise to that server
(config)# ntp peer [ip of peer]     ----> symmetric mode, the two devices adjust each other
Caveat: unauthenticated NTP can be spoofed, which skews every timestamp in the syslog trail; use `ntp authenticate` with `ntp authentication-key` / `ntp trusted-key` between the devices.
-------------------------------------------------------------
AAA

'''
(config)# aaa new-model   ----> switches the box to AAA; line-password authentication is replaced by the default AAA method list, so define `username ... secret` first or you lock yourself out ;)
(config)# tacacs-server host [ip of ACS server] single-connection
(config)# tacacs-server key [cisco]   ----> shared secret for that server
(config)# aaa authentication login [list name] group tacacs+ local none
    ----> methods are tried in order: TACACS+, then local users, then `none` (= no authentication). `none` is only reached if the local method returns an error (no usernames configured), but that still means an empty local database lets anyone in; leave it off in production
(config)# line vty 0 4
(config-line)# login authentication [list name]
(config-line)# exit
# debug aaa authentication
# show tacacs
------------------------------------------------------------------------------------------
access-list
'''''''''''
Standard access-list: filters on source address only, so place it close to the destination (R1, R2, R3 ----> on R3 :)); also used with NAT, Telnet/SSH (access-class) and SNMP.
(config)# access-list 50 deny 192.168.1.0 0.0.0.255
(config)# access-list 50 permit any   ----> without this line the implicit `deny any` at the end drops everything else
(config)# int fa 0/0
(config-if)# ip access-group 50 out
---------------------------------------------
Standard access-list with Telnet/SSH and SNMP
(config)# access-list 51 permit 192.168.1.0 0.0.0.255
(config)# line vty 0 4
(config-line)# access-class 51 in   ----> only those sources may open a vty session
(config-line)# exit
(config)# snmp-server community SUPER_SECRET_SNMP ro 51   ----> the ACL number (51) goes after ro/rw
---------------------------------------------
Extended access-list: filters on source, destination, protocol and port, so place it close to the source
''''''''''''''''''''
(config)# access-list 100 permit tcp host [src] host [dst] eq 80
(config)# access-list 100 permit ip any any
(config-if)# ip access-group 100 in
-----------------------------------------------
Named access-list (lines can be added or removed individually, unlike a numbered list)
(config)# ip access-list extended mohamed
(config-ext-nacl)# permit tcp host [src] host [dst] eq 80 established   ----> `established` matches only return traffic (ACK or RST set)
(config-ext-nacl)# permit tcp host [src] host [dst] eq 25
(config-ext-nacl)# permit ip host [src] host [dst]
# show ip access-lists mohamed   ----> entries are numbered 10, 20, 30 ...
(config-ext-nacl)# no 20                                  ----> delete a line
(config-ext-nacl)# 40 permit ip host [src] host [dst]     ----> squeeze a line in at sequence 40
(config)# ip access-list resequence mohamed [start of sequence] [step of sequence]
------------------------------------------------------------------------------------------------------
(((((((((((( switch ))))))))))))))
# show running-config interface fa 0/1
# show interface fa 0/1
# show port-security interface fastethernet 0/8
# show port-security
(config-if)# switchport mode access   ----> port security needs a static access (or trunk) port, not a dynamic one
(config-if)# switchport port-security maximum 3
(config-if)# switchport port-security violation [shutdown (default) | protect | restrict]
    ----> shutdown: the port goes err-disabled; restrict: offending frames are dropped, counted and logged; protect: dropped silently
(config-if)# switchport port-security mac-address [sticky | xxxx.xxxx.xxxx]   ----> sticky learns the MACs and writes them into the running-config
(config-if)# switchport port-security   ----> enables port security; the default maximum is 1 MAC address
-----------------------------------------------------
spanning-tree
'''''''''''''
(config-if)# spanning-tree guard root   ----> on ports that must never lead toward the root bridge; a superior BPDU arriving there puts the port into root-inconsistent (blocking) instead of letting a rogue switch become root
(config-if)# spanning-tree bpduguard enable   ----> on access ports :) ; any BPDU received err-disables the port
(config-if)# spanning-tree portfast
(config)# spanning-tree portfast bpduguard default   ----> BPDU guard on every PortFast port :)
(config)# spanning-tree portfast default             ----> all access ports become PortFast :)
(config)# ip dhcp snooping                 ----> enable globally; every port is untrusted until told otherwise
(config)# ip dhcp snooping vlan [list]     ----> it does nothing until it is also enabled per VLAN
(config-if)# ip dhcp snooping trust        ----> on the port toward the DHCP server and on trunk/uplink ports
(config-if)# ip dhcp snooping limit rate 3 ----> on untrusted (client) ports: cap DHCP messages per second to blunt DHCP starvation; the port err-disables when the rate is exceeded
(config)# ip arp inspection vlan [list]    ----> DAI checks ARP replies against the DHCP snooping binding table
(config-if)# ip arp inspection trust       ----> skip the check on trusted ports (uplinks)
------------------------------------------------------------------
miscellaneous security
----------------------
SPAN on the same switch (monitor ports, sniffing)
'''''''''''''''''''''''''''''''''''''''''''''''''
(config)# monitor session 1 source interface fa 0/1 - 20 [rx | tx | both]
(config)# monitor session 1 destination interface fa 0/24   ----> port connected to my laptop
RSPAN
'''''
(config)# vlan 999
(config-vlan)# remote-span   ----> the RSPAN VLAN must be marked as such on every switch along the path
(config)# monitor session 2 source interface fa 0/1
(config)# monitor session 2 destination remote vlan 999
Storm control: shut down an interface that sends excessive traffic
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
(config-if)# storm-control [broadcast | multicast | unicast] level 70   ----> 70 % of the port bandwidth
(config-if)# storm-control action shutdown
------------------------------------------------------------
Disabling DTP (Dynamic Trunking Protocol)
'''''''''''''''''''''''''''''''''''''''''
(config-if)# switchport trunk encapsulation dot1q
(config-if)# switchport mode trunk
(config-if)# switchport nonegotiate          ----> stop sending DTP frames; otherwise a PC can negotiate a trunk and hop VLANs
(config-if)# switchport trunk native vlan 400   ----> move the native VLAN off the default VLAN 1 (on both ends of every trunk, or you get a native-VLAN mismatch)
----------------------------------------------------------
(((((((((((( dot1x ))))))))))))
(config)# aaa new-model
(config)# radius-server host [ip of RADIUS server] key [shared secret]
(config)# aaa authentication dot1x default group radius
(config)# dot1x system-auth-control   ----> enable 802.1X globally
(config-if)# dot1x port-control [force-authorized | force-unauthorized | auto]   ----> auto is the mode that actually authenticates
(config-if)# dot1x guest-vlan [vlan]    ----> hosts that never answer EAP (no supplicant) go to the guest VLAN
(config)# dot1x guest-vlan supplicant   ----> also admit hosts that do run a supplicant but fail EAP into the guest VLAN
(config-if)# dot1x auth-fail max-attempts [n]   ----> after n failures the host lands in the restricted (auth-fail) VLAN
(config-if)# dot1x auth-fail vlan [vlan]
# dot1x re-authenticate interface fa 0/1   ----> force re-authentication, e.g. after removing a static MAC address
# show dot1x
# show aaa servers
--------------------------------------------------------------------------
